As telehealth services surged in response to the COVID-19 pandemic, unique compliance challenges likewise developed in unexpected ways. Recognizing these challenges, the Office for Civil Rights (“OCR”) indicated that it would exercise its enforcement discretion by declining to impose penalties against covered health care providers for instances of good faith noncompliance with the requirements of the Health Insurance Portability and Accountability Act (“HIPAA”) in connection with the provision of telehealth services. In effect, a covered health care provider seeking to use audio or video communication technology to provide telehealth services during the public health emergency could do so with greater flexibility.

As the public health emergency draws to a relative close and many of the regulatory flexibilities expire or are otherwise rolled back, it is important that providers and health plans remain vigilant as to the status of these measures. In an effort to facilitate a smooth transition, OCR issued guidance (the “Guidance”) on June 13, 2022 addressing the use of audio-only technology to render telehealth services in accordance with HIPAA.[1]

1. Background of HIPAA

HIPAA generally governs the use, maintenance, and disclosure of protected health information (“PHI”) and specifically applies to qualifying health care providers, health plans, and clearinghouses (each a “Covered Entity”). In an effort to address the many challenges that arise in handling PHI, HIPAA comprises multiple components, the two most significant of which are the Privacy Rule[2] and the Security Rule.[3]

The Privacy Rule generally protects the confidentiality of health information by, among other things, establishing standards that restrict how Covered Entities may use PHI while also strengthening a given patient’s right to control his/her PHI. The Security Rule creates standards for PHI that is stored or transmitted in electronic media (“ePHI”) by mandating certain administrative, physical, and technical safeguards for the protection of such PHI.

Both the Privacy Rule and Security Rule generally apply to the rendering of telehealth services.

2. Privacy Rule Concerns

Covered Entities may use remote communication technology to provide telehealth services, including audio-only services, in compliance with the Privacy Rule. Generally, the Privacy Rule requires that Covered Entities implement reasonable safeguards to protect the confidentiality of PHI from impermissible uses or disclosures. By way of example, the Guidance specifies that OCR requires Covered Entities to furnish telehealth services in a private setting, where possible. To the extent a private setting is not available, OCR requires Covered Entities to use reasonable safeguards to limit incidental disclosures of PHI, such as lowering their voices or avoiding the use of speakerphone technology.

In addition, the Guidance provides that if an individual is not known to a Covered Entity, such Covered Entity must verify the identity of the individual either orally or in writing. HIPAA does not mandate a specific method to complete this verification. The Guidance does, however, stress that Covered Entities must be mindful of civil rights laws which require communication with an individual with a disability to be as effective as the means used with others, including through the use of auxiliary aids and services if appropriate. The Guidance also notes that a Covered Entity may need to use language assistance services both to appropriately verify a given patient’s identity and to provide meaningful access to patients with limited English proficiency.

3. Security Rule Concerns

The Security Rule generally does not apply to audio-only telehealth services provided by a Covered Entity using a standard landline. OCR considers the information conveyed via a landline as not being “electronic” for purposes of HIPAA. In contrast, the Guidance clarifies that information conveyed through Voice over Internet Protocol (VoIP) or mobile technologies that use such resources as the Internet, intra- and extranets, cellular, or WiFi services traditionally qualifies as “electronic” for purposes of HIPAA. In addition, the Guidance indicates that the Security Rule applies to information transmitted using certain applications on smartphones or other devices, technologies that electronically record or transcribe telehealth sessions, or services which electronically store audio messages.

The Guidance further clarifies that a Covered Entity’s annual risk analysis and day-to-day management efforts should consider:

  • Whether the technology being used increases the risk that a transmission could be intercepted by an unauthorized third party;
  • Whether the remote communication technology supports encrypted transmissions which could assist in safeguarding ePHI;
  • Whether there is a risk that ePHI created or stored as a result of a telehealth session could be accessed by an unauthorized third party;
  • Whether authentication is required to access the device or application where a telehealth session’s related ePHI is stored; and
  • Whether the device or application automatically terminates the session or locks after inactivity.

Such considerations must be assessed and addressed, where possible, to better meet a Covered Entity’s obligations under HIPAA.

4. Business Associate Agreements

In many circumstances a Covered Entity must execute a business associate agreement (“BAA”) prior to disclosing PHI to a business associate, which is a party that carries out certain functions on behalf of a Covered Entity that involve the use or maintenance of PHI. Each BAA outlines the parties’ responsibilities under HIPAA with respect to the PHI in question, as well as other important contractual terms.

The Guidance clarifies that under certain circumstances, a Covered Entity may conduct audio-only telehealth services using a remote communication technology supplied by a vendor without executing a BAA. Specifically, a vendor who only maintains transient access to the PHI it transmits and merely serves as a conduit for the PHI would not be obligated to execute a BAA. The Guidance clarifies that if a vendor is not creating, receiving, or maintaining PHI on behalf of the Covered Entity, and if such vendor does not require access to PHI on a routine basis, no business associate relationship exists. As a result, no BAA is required. It is important to keep in mind that where a vendor relationship exceeds that of a mere conduit, a BAA would likely be required.